SAML Issuer Backend
- SAML Service
- IssuerDB
- Register LemonLDAP::NG on partner Service Provider
- Register partner Service Provider on LemonLDAP::NG
Presentation
Configuration
SAML Service
See SAML service configuration chapter.IssuerDB
In General Parameters > Modules > Issuer module, select SAML v2.
You can add an Issuer rule that will be checked to allow a user to use Issuer module. This can be helpful to prevent some users to use the SAML module. Set in in General Parameters > Advanced Parameters > Security > Issuer Activation Rule.
For example, allow only users from "SAML" group:
$groups =~ /SAML/
Register LemonLDAP::NG on partner Service Provider
After configuring SAML Service, you can export metadata to your partner Service Provider. They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata.
Register partner Service Provider on LemonLDAP::NG
In the Manager, select node Servce Providers and click on New metadatas:

The SP name is asked, enter it and click OK.
Now you have access to the SP parameters list.
Metadata
You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP).
You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.
Exported attributes
For each attribute, you can set:
- Key name: name of the key in LemonLDAP::NG session
- Mandatory: if set to "On", then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitely requested in an attribute request.
- Name: SAML attribute name.
- Friendly Name: optional, SAML attribute friendly name.
- Format: optional, SAML attribute format.
Options
Authentication response
- Default NameID format: if no NameID format is requested, or the NameID format undefined, this NameID format will be used. If no value, the default NameID format is Email.
- One Time Use: set the OneTimeUse flag in authentication response.
Signature
These options override service signature options (see SAML service configuration).
- Sign SSO message: sign SSO message
- Check SSO message signature: check SSO message signature
- Sign SLO message: sign SLO message
- Check SLO message signature: check SLO message signature
Security
- Encryption mode: set the encryption mode for this IDP (None, NameID or Assertion).